HIP – 25 Techniques to Gather Threat Intel and Track Actors (Wayne Huang, Sun Huang)


The last talk of this Hack in Paris 2017 was given by two speakers:

  • Wayne Huang , founder and CEO of Armorize Technologies, VP Engineering at Proofpoint
  • Sun Huang, Senior Threat Researcher at Proofpoint

In this talk, speakers presented 25 techniques to gather threat intelligence and tracks actors, that is to say people who developed malware and used against targdzets. Threat intelligence harvested from these actors allowed researcher to understand how these people work, their daily operation, their methodologies and tools they used to attack targets.

The important thing to understand before following this talk is the key difference between raw data or processed information and real intelligence. Where a data is a raw, unorganized fact, Information is the result of processed and organized data in a given context. An information can be true, false, misleading, incomplete, relevant, or irrelevant; In contrary, Intelligence is Accurate, timely, complete (as possible), assessed for relevancy. In addition, Intelligence is aggregated from reliable sources and cross correlated for accuracy.

There are four types of Threat Intelligence:

  • Tactical: how threat actors are conducting attacks. Tactical threat intelligence is consumed by defenders and incident responders to ensure that their defenses, alerting and Investigations are prepared for current tactics
  • Operational: specific impending attacks against the organization and is initially consumed by higher-level security staff
  • Strategic: identify trends. High-level information on changing risk
  • Technical: information (or, more often, data) that is normally consumed through technical means. An example would be a feed of IP addresses suspected of being malicious orimplicated as command and control servers.

This talk focused on technical threat intelligence. Intelligence is harvested thanks to technical means, by “pentesting” C&C servers. Thanks to this, tactical threat intelligence can also be applied to understand methodologies of actors. Speakers begin with a brief description of the general methodology to apply these 25 techniques to gather threat Intel. Malware put in sandboxes generate lot of URLs to communicate with their command and control panel (hosted by C&C severs). These URLs are called C2 URL.

Nowadays, sandboxes are commonly used in malware analysis and forensic field.

It allows executing untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.For instance Joe sandbox consists in a Linux controller machine and several analysis virtual machines (with Windows and Android installed).To analyses malwares, it has to be send to the “Controller machine” via Joe sandbox’s web interface which will be then sent to “Analysis machines” for the actual analysis.

Example of Joe Sandboxe

It would have been interesting to know how researchers collect these malware and sources of C2 URLs in the talk. In fact, there are several methods to collect malwares:

From C2 URLs, investigation can start. The methodology used by speaker is similar to the methodology of a penetration test.

Pentest methodology


Indeed, the first step is to gather maximum information from C2 URLs. From URLs, it is sometimes possible to find publicly accessible analytics pages. These pages allow attackers to have information and trends from their victims.

The problem is that these attackers don’t want to use and maintain their own analytic server so they use public analytics services (like google analytics for instance) and researcher can sometimes access to these pages (Method 1).

Finding open directories and fuzzing common files and directories name is generally one of the first step in a penetration testing, it is called fingerprint. These techniques were used to discover command and control panels of malwares (Method 2 & 3). In addition, to understand the file’s structure, the server status brings also lot of useful information like HTTP requests done to the server that can reveal new URLs (Method 4) in the same way that server error message and debug log pages (Method 5 & 6).

Potential vulnerability detection and Attempt to exploit vulnerabilities:

Once the file structure is known, the next step can begin. Several example of insufficient authentication process were presented during the talk (Method 7). For instance by just changing the HTTP code from server response, researcher could have access to all the content of the control panel (the example quoted was Hancitor_downloader).

On authenticated to the panel, it is possible to access other panels of the C2 URLs by exploiting vulnerabilities like Session fixation (Method 8).

Session fixation

The attack consists of obtaining a valid session ID (e.g. by connecting to the application), inducing a user to authenticate himself with that session ID, and then hijacking the user-validated session by the knowledge of the used session ID. In some case it has been possible for researcher to access panels by using weak passwords or by finding hardcoded password or download config file (Method 9 & 10).

Source code review

Source code review (Method 11) could allow discovering vulnerabilities more easily than pentesting the application because we know exactly which framework is used; we know the design and implementation used. In general it allows a security team to find bug earlier in the development.

In the fingerprinting step (fuzzing URLs Method3), researcher could have found folder name which contain the panel source code. The rest of talk introduced other techniques (more or less advanced) by exploiting common vulnerabilities of web applications to gather threat intelligence about actors like for instance SQL Injection, remote command execution etc…

For more details and example quoted during the talk please refer to the podcast of this presentation.


This talks was interesting in the sense that known techniques (at least by most of pentester..I hope) were used on malwares which were quoted as example during the talk. It shows that even malware developers are vulnerable to common and well known vulnerabilities.

By the way it would have been interesting to have more details on the upstream process ( how to obtain these malwares, which techniques were used etc…).